Distribution overview
How modules work โ Execute, DryRun, Validate, Rollback. Fan-out concurrency, batch sizing, post-distribution validation, and how distribution failures interact with renewal.
Distribution primitives
The reusable objects every distribution composes from: Path Sets (where files land), Action Sets (what runs after), Module Credentials (auth material), Project Variables (per-environment values), Validation Endpoints (post-deploy TLS fingerprint check), and the Fan-out execution model. Define each once; reuse across dozens of targets and certificates.
Targets & groups
A target is one concrete endpoint of a given module type โ an SSH host, a K8s cluster, an F5 BIG-IP management URL, a Vault instance. A target group is a named collection of targets for bulk distribution. Both live under Settings โ Distribution.
Fan-out execution
How large distributions are split into parallel batch child jobs: the fan-out threshold, per-target retry with error classification, aggregate status computation, and the dedicated distribution worker lane.
Post-distribution validation
Per-target validation endpoints that verify the deployed certificate is actually being served: TLS fingerprint checks with SNI, configurable retries, SSRF protection, and automatic status downgrade to partial on failure.
Module health checks
What the per-module health check verifies (connectivity + authentication, per target), how to run it from the UI or API, and what a green result does not guarantee.
Rollback
Which modules can restore the previous certificate (SSH, Kubernetes, Vault), how manual and automatic rollback work, where rollback metadata lives, and backout patterns for non-reversible modules.
SSH module
The SSH module copies the certificate + private key + chain to a target host using SCP/SFTP, then runs post-deployment actions (typically systemctl reload nginx or equivalent). It is the most-used distribution module and the only one with full rollback โ every file we overwrite is first saved as .bak, so a rollback restores the exact previous state.
Kubernetes module
Deploy a certificate as a kubernetes.io/tls Secret in one or more clusters. Works with in-cluster service-account auth (when CertAutoPilot itself runs on Kubernetes) or with inline kubeconfig for external clusters. Multi-cluster is supported via multiple targets.
Microsoft IIS module
Deploys certificates to Windows Server IIS over WinRM: imports the PKCS#12 into the local machine certificate store and updates the site's HTTPS binding(s) โ one binding, all matching bindings, or an explicit host-header list. Works with Windows Server 2016+.
Windows (WinRM) module
Deploy any file to any Windows path, then run PowerShell post-deploy scripts. The Windows sibling of the SSH module โ same PathSet + ActionSet operator UX, different transport. Distinct from the IIS module, which is dedicated to IIS binding lifecycle.
F5 BIG-IP module
Uploads cert + key + chain to F5 BIG-IP LTM via iControl REST and creates or updates the named SSL profile's certKeyChain. Supports TMOS 13.0+, partition scope, and intermediate-chain handling with fingerprint-based naming to avoid duplicate objects.
NetScaler (Citrix ADC) module
Uploads cert + key to NetScaler ADC over NITRO REST, creates the sslcertkey object, chains intermediate certificates with fingerprint-based global names to survive multi-cert deployments. Updating an existing certkey in place preserves its vserver bindings automatically; newly created certkeys must be bound to vservers manually.
HashiCorp Vault module
Writes certificate + key + chain into a Vault KV secret path (KV v1 or v2, selected per target). On KV v2 it uses Vault's built-in version history for rollback โ one of the few modules where rollback is a first-class operation rather than manual cleanup. Supports Token and AppRole authentication.
Webhook module
Delivers a certificate payload to any HTTP endpoint โ the escape hatch for targets that don't fit one of the other modules. You configure the URL, headers, payload template, timeout, and retry count; the receiving system owns persistence and rollback.
Huawei Cloud module
Uploads a certificate to Huawei Cloud's native certificate store and attaches it to one or more ELB listeners, CDN domains, or WAF hosts. Uses AK/SK (access key + secret key) authentication scoped to the region where your resources live.
SMTP module
Emails the issued certificate artefact to one or more recipients after every successful renewal. Useful for key-ceremony hand-off, compliance archive mailboxes, and ops DLs that don't have an API integration. Not a notification โ the SMTP module ships the certificate bytes themselves (PEM + chain, optionally private key or a passphrase-protected PKCS#12 bundle), the same way SSH ships PEM files to a box.
AWS ACM module
Imports (and on renewal re-imports) the certificate into AWS Certificate Manager. AWS propagates a same-ARN re-import to every attached resource โ CloudFront, ALB/ELB, API Gateway โ so no CloudFront/ELB API calls are needed.